
Black Listed by Barracuda - Need Some Help

RobertKaucher Member Posts: 4,299
Well, I would like to enlist some help as I am not sure what to do in this situation.

A few weeks ago a user ran an .exe from a spoofed email greeting card that looked like it came from the owner of the company. Her system started sending out spam messages. I got that taken care of.

Then on Thursday we were blacklisted by Barracuda Networks as having an IP address that sends out excessive spam. I figured it was related to the previous incident and asked to be removed from their list.

All was well until today. We are back on the list. So I am not sure what the hell to do here. I have been running WireShark on the email server and doing captures on the SonicWall gateway that we use. I have not seen anything on port 25 exiting our LAN other than traffic from the Exchange 2003 server. One of the first things I did upon becoming an admin here was to verify we were not an open relay, and I confirmed this again once I started having this issue. I am seeing a lot come across the wire, but none of it seems like we are sending spam.

Do any of you have suggestions as to what I should be looking for that I have not seen yet, or that might be obscure and I might not have looked into?

Comments

  • veritas_libertas Member Posts: 5,746
    What a horror story :( I hope you are able to get it fixed.
  • apena7 Member Posts: 351
    It's a shot in the dark, but was that greeting card .exe only using port 25?
    Usus magister est optimus
  • 120nm4n Member Posts: 116
    apena7 wrote: »
    It's a shot in the dark, but was that greeting card .exe only using port 25?

    Probably the case. Any computer on your network could potentially be sending email on any port. Run wireshark as close as you can (if not directly on) to your WAN connection. Don't filter it down to certain ports, but do look for SMTP / POP3 traffic.
    WIP: MCITP: EA
    70-620 - Done
    70-647 - In Progress
    70-649 - Soon.
  • apena7 Member Posts: 351
    120nm4n wrote: »
    Probably the case. Any computer on your network could potentially be sending email on any port.

    That's what I was banking on. I figured that a virus probably wouldn't use a conventional port to send spam.
    Usus magister est optimus
  • RobertKaucher Member Posts: 4,299
    120nm4n wrote: »
    Probably the case. Any computer on your network could potentially be sending email on any port. Run wireshark as close as you can (if not directly on) to your WAN connection. Don't filter it down to certain ports, but do look for SMTP / POP3 traffic.

    If it is not sending it on port 25, who would be receiving it?

    A virus could send anything it wants out any port it wants, but if no one is listening on that port, who cares? It might clog my pipe, but it would not get me black listed.
  • hypnotoad Banned Posts: 915
    Did the Barracuda blocking you send you an NDR? If so, what was the error message?

    Here's a link to the knowledgebase article regarding why a Barracuda does this:

    Barracuda Networks - Worldwide leader in email and Web security
  • RobertKaucher Member Posts: 4,299
    hypnotoad wrote: »
    Did the Barracuda blocking you send you an NDR? If so, what was the error message?

    Here's a link to the knowledgebase article regarding why a Barracuda does this:

    Barracuda Networks - Worldwide leader in email and Web security

    Yes, and that's how I knew we were listed. I'm working with them to get off the list, I just wish I knew why our IP was listed (not why Barracuda Networks lists IPs). Currently I have blocked all outgoing traffic on port 25 except from Exchange and I am allowing only incoming traffic from the IP ranges used by TrendMicro for their hosted spam filter service.
  • L0gicB0mb508 Member Posts: 538
    I'm pretty sure you will actually have to work with them to get off the list. I don't think they just stop blocking you once you stop sending traffic. Sometimes it takes a while to get off the blacklist.
    I bring nothing useful to the table...
  • Chivalry1 Member Posts: 569
    Step 1: Lock down the firewall!! No internal systems should be sending traffic on port 25. Only the Exchange 2003 server.

    Step 2: Setup some type of independent IDS/IPS system. This will attempt to identify strange network traffic.

    Step 3: Ensure that Anti-Virus is up to date on Exchange Servers.

    Step 4: You will likely have to contact multiple DNS Blacklist companies. (Start with The Spamhaus Project )

    As a consultant I have run into this issue multiple times. It's tough getting off these lists, but with a little effort you can get this worked out.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • RobertKaucher Member Posts: 4,299
    Chivalry1 wrote: »
    Step 1: Lock down the firewall!! No internal systems should be sending traffic on port 25. Only the Exchange 2003 server.

    Step 2: Setup some type of independent IDS/IPS system. This will attempt to identify strange network traffic.

    Step 3: Ensure that Anti-Virus is up to date on Exchange Servers.

    Step 4: You will likely have to contact multiple DNS Blacklist companies. (Start with The Spamhaus Project )

    As a consultant I have run into this issue multiple times. It's tough getting off these lists, but with a little effort you can get this worked out.

    I have been checking nearly hourly with services that look at multiple black lists. I have also been doing random samples of the network traffic on the exchange server and the gateway. Yesterday I blocked all SMTP traffic to our network from all sources except our anti-spam service from TrendMicro.

    Yesterday I also blocked all outgoing SMTP traffic on the firewall except from the exchange server. So I'm glad to know you suggest doing those things.

    I am working on setting up an IDS system now. I suppose it will be a 3 homed network, Linux system running SNORT... We'll see. Thanks for all the suggestions, guys.
  • Forsaken_GA Member Posts: 4,024
    We've gotten caught by Barracuda a few times, both on our own mail cluster and on some customers' dedicated machines. They're usually not too much of a pain to get off of; our turnaround for being removed has always been under 24 hours, sometimes as few as 2. But we are *very* aggressive in killing the source once we're aware of it. If they've relisted you, then something got out. Make sure you're looking at the alternate submission port as well and not just port 25; many mail servers have it open now thanks to ISPs and their aggressive port 25 filtering.

    And pray you don't get listed on SORBS. Those guys are a REAL pain to get off of. We had to stop using their list due to too many false positives because they don't like to remove folks.
  • Ahriakin Member Posts: 1,799
    They are likely using 3rd party blacklists also when compiling their own; chances are you are still on one of them (as was suggested above). Look beyond Barracuda even if they are the main symptom.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • RobertKaucher Member Posts: 4,299
    Just to update here. At about 2:00 this afternoon I had become confident that no more spam was leaving our network.

    I then began looking at some other traffic such as DNS. I started finding DNS queries for many of the domains I was seeing in some of the bounce queues on the Exchange Server. I began looking in more detail by going to the DNS server and running WireShark. I saw a lot of queries coming from a single PC. This is a PC in a common area and can be used by any user without logging on. The user account for this PC has very limited access on the network.
    This is what I found on it:
    ThreatExpert Report: Trojan-Spy.Win32.Zbot.gen, TSPY_ZBOT.SM, Troj/ZbotPP-Fam, Mal/EncPk-CZ
    TSPY_ZBOT.PF
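Added example, not code from any poster in this thread: a small Python script that applies two of the checks discussed above to constructed log lines. First, Forsaken_GA's point that outbound mail can leave on the submission port as well as port 25, so any inside host other than the mail server connecting to either port is suspect. Second, RobertKaucher's finding that the infected kiosk PC showed up on the DNS server as a burst of lookups for the domains in the Exchange bounce queues, modelled here as MX-lookup fan-out per client. The log formats (a "src= dst= dport=" firewall line and a BIND-style query log line), the addresses (10.0.0.5 for the Exchange server, 10.0.0.77 for the kiosk) and the fan-out threshold are all assumptions.

```python
"""Flag a spam-sending host from two constructed log sources.

1. Firewall connection log: any inside host other than the mail server
   opening outbound TCP to SMTP (25) or submission (587).
2. DNS query log: a client doing MX lookups for many distinct domains,
   which is what a bot delivering spam straight to recipients' MX does.

Example code added to this thread; log formats, addresses and the
threshold below are assumptions, not values from the original posts.
"""
import re
from collections import defaultdict

MAIL_SERVER = "10.0.0.5"        # assumed address of the Exchange server
SMTP_PORTS = {25, 587}          # SMTP plus the submission port
MX_FANOUT_THRESHOLD = 5         # distinct MX domains per client before flagging

# Assumed line formats; adapt the regexes to the real firewall and DNS logs.
FW_LINE = re.compile(r"src=(\S+) dst=(\S+) proto=tcp dport=(\d+)")
DNS_LINE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\w+)")

# Constructed firewall log: Exchange sends legitimately, a workstation
# browses HTTPS, and the kiosk PC talks to several hosts on 25 and 587.
FIREWALL_LOG = """\
src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=25
src=10.0.0.5 dst=198.51.100.20 proto=tcp dport=25
src=10.0.0.23 dst=203.0.113.50 proto=tcp dport=443
src=10.0.0.77 dst=198.51.100.8 proto=tcp dport=25
src=10.0.0.77 dst=203.0.113.99 proto=tcp dport=587
src=10.0.0.77 dst=192.0.2.14 proto=tcp dport=587
"""

# Constructed DNS query log: the kiosk resolves MX records for one domain
# after another (one repeated with different case and a trailing dot).
DNS_LOG = """\
client 10.0.0.5#53120: query: example.com IN MX + (10.0.0.2)
client 10.0.0.5#53121: query: example.org IN MX + (10.0.0.2)
client 10.0.0.23#49011: query: www.example.com IN A + (10.0.0.2)
client 10.0.0.77#51001: query: example.com IN MX + (10.0.0.2)
client 10.0.0.77#51002: query: example.net IN MX + (10.0.0.2)
client 10.0.0.77#51003: query: example.org IN MX + (10.0.0.2)
client 10.0.0.77#51004: query: mail.example.co.uk IN MX + (10.0.0.2)
client 10.0.0.77#51005: query: example.edu IN MX + (10.0.0.2)
client 10.0.0.77#51006: query: Example.NET. IN MX + (10.0.0.2)
"""


def outbound_smtp_offenders(log, mail_server=MAIL_SERVER, ports=SMTP_PORTS):
    """Return {src: [dst, ...]} for inside hosts other than the mail server
    that opened outbound connections to an SMTP or submission port."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = FW_LINE.search(line)
        if not m:
            continue                      # not a connection line we understand
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in ports and src != mail_server:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def mx_fanout(log, threshold=MX_FANOUT_THRESHOLD, known_senders=(MAIL_SERVER,)):
    """Return {client: distinct_mx_domains} for clients, other than the known
    mail senders, whose MX lookups cover at least `threshold` domains."""
    domains = defaultdict(set)
    for line in log.splitlines():
        m = DNS_LINE.search(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        if qtype == "MX" and client not in known_senders:
            # normalise case and trailing dot so repeats are not double counted
            domains[client].add(qname.rstrip(".").lower())
    return {c: len(d) for c, d in domains.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, dsts in outbound_smtp_offenders(FIREWALL_LOG).items():
        print(f"outbound SMTP/submission from non-mail host {src}: {', '.join(dsts)}")
    for client, n in mx_fanout(DNS_LOG).items():
        print(f"MX fan-out from {client}: {n} distinct domains")
```

Both checks point at the same host (10.0.0.77 in the constructed data), which is the corroboration you want before pulling a machine off the network. On a real network the firewall check is the one to run continuously, since an egress rule that permits only the Exchange server on 25 and 587 turns every other hit into a log entry worth reading; the MX fan-out check is the fallback for a bot that slips out some other way, as the DNS server sees the lookups regardless of which port the mail leaves on.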